VPN and Cisco 837... very strange

Virtual private networks and related topics

Moderator: Federico.Lagni

spackmeier
n00b
Posts: 5
Joined: Tue 20 Sep 2005, 3:20 pm
Location: Varese

Hi all, I have a problem with two Cisco 837 devices located at two separate sites with ADSL (one Telecom and the other Tiscali), each with a single static IP.

In practice, browsing works from both sites without problems, but the VPN has big problems. A simple ping between two internal machines loses a lot of packets, telnet is also extremely slow and often drops the connection.

Initially the customer had a Telecom line with a static IP (which he kept) and replaced the second line, for upload speed reasons, with a Tiscali flat line with a static IP. Since he made this change and put the static IP on the second router, VPN performance has dropped enormously, practically unusable...

I wonder whether the Tiscali line has problems, or whether the static IP is not completely open (maybe some ports are closed or something like that).

I should also say that I'm not a Cisco technician and have never configured a device like this via the command line. I have set up VPNs before, though.

Another doubt: in the office I use a firewall with a static IP for the VPN, so the line has 8 public IPs (5 actually usable). In this friend's case the router's IP and the IP of the device that also acts as firewall and VPN endpoint are the same. Can it work correctly, or does it need 2 free IPs anyway?

Maybe the configuration is not correct; I have both configurations and can post them (hiding the crypto keys and the rest).

I'm also contacting a company specialised in configuring these devices, but I'd still like your opinion.

Thank you!
mgcomp
Cisco fan
Posts: 59
Joined: Sat 13 Aug 2005, 4:56 pm
Location: Verona

Hi!!!

If you have 2 public IPs, use Cisco's GRE tunneling.

Log in to the routers and do the following configuration:

on the Telecom one:

interface Tunnel0
description 'Tunnel verso SedeTiscali'
ip unnumbered Atm0.1
tunnel source Atm0.1
tunnel destination IPSedeTiscali
tunnel mode ipip
ip route LANSedeTiscali MaskSedeTiscali Tunnel0

on the Tiscali one:

interface Tunnel0
description 'Tunnel verso SedeTelecom'
ip unnumbered Atm0.1
tunnel source Atm0.1
tunnel destination IPSedeTelecom
tunnel mode ipip
ip route LANSedeTelecom MaskSedeTelecom Tunnel0

You'll see, you'll be impressed....

Bye!!
spackmeier
n00b
Posts: 5
Joined: Tue 20 Sep 2005, 3:20 pm
Location: Varese

Thanks for the reply, I'll pass the post on to the person who will do the configuration and we'll see what happens. Apart from this, does nothing else need to change? Also, is a VPN done this way secure? The one he used before had an encryption system... I'm forwarding you the configuration of the Tiscali site (Gazzada); I removed the names of the encryption keys and also the static IPs, because the equipment isn't mine and I don't want to put this information online without permission. Here's everything he sent me:

exit
Gazzada#sh run
Building configuration...

Current configuration : 4266 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Gazzada
!
no logging buffered
enable secret 5 $1$eJqJ$Vs289wJVktOECQmi8i3x01
!
username CRWS_Ritesh privilege 15 password 7 100A585D3246142A480B7B24170D2334734B54445B52000C0F00
username CRWS_Shashi privilege 15 password 7 074B700879581F24531D5A03370F3B257A616171415F4E5153
username Gazzada password 7 045C0A140B2442
no aaa new-model
ip subnet-zero
ip name-server 212.216.112.112
ip dhcp excluded-address 192.168.254.254
ip dhcp excluded-address 192.168.254.1 192.168.254.200
!
ip dhcp pool CLIENT
import all
network 192.168.254.0 255.255.255.0
default-router 192.168.254.254
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key 0 nomechiave address ip router sede Telecom
!
!
crypto ipsec transform-set garden esp-des esp-sha-hmac
!
crypto map nomechiave 1 ipsec-isakmp
set peer ip sede telecom
set transform-set garden
match address 100
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.254.254-255.255.255.0
ip address 192.168.254.254 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 199 in
ip inspect myfw out
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address ip sede tiscali 255.255.255.254
ip nat outside
pvc 8/35
encapsulation aal5mux ppp dialer
!
crypto map nomechiave
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
no ip address
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxx
ppp chap password 7 055A545C751918
ppp pap sent-username email e password per connessione
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat inside source route-map nonat interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 199 permit tcp any any established
access-list 199 permit ip host iptelecom any
access-list 199 deny ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 102
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
Gazzada#
Gazzada#sh ip int
ATM0 is up, line protocol is up
Internet protocol processing disabled
ATM0.1 is up, line protocol is up
Internet address is ip tiscale/31
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Dialer1 is up, line protocol is up
Internet protocol processing disabled
Ethernet0 is up, line protocol is up
Internet address is 192.168.254.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
FastEthernet1 is up, line protocol is up
Internet protocol processing disabled
FastEthernet2 is down, line protocol is down
Internet protocol processing disabled
FastEthernet3 is down, line protocol is down
Internet protocol processing disabled
FastEthernet4 is down, line protocol is down
Internet protocol processing disabled
Virtual-Access1 is up, line protocol is up
Internet protocol processing disabled
Virtual-Access2 is down, line protocol is down
Internet protocol processing disabled
Gazzada#
Gazzada#sh a st
Gazzada#sh start
Gazzada#sh startup-config
Using 4341 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Gazzada
!
no logging buffered
enable secret 5 $1$eJqJ$Vs289wJVktOECQmi8i3x01
!
username CRWS_Ritesh privilege 15 password 7 100A585D3246142A480B7B24170D2334734B54445B52000C0F00
username CRWS_Shashi privilege 15 password 7 074B700879581F24531D5A03370F3B257A616171415F4E5153
username XXX password 7 XXXX
no aaa new-model
ip subnet-zero
ip name-server 212.216.112.112
ip dhcp excluded-address 192.168.254.254
ip dhcp excluded-address 192.168.254.1 192.168.254.200
!
ip dhcp pool CLIENT
import all
network 192.168.254.0 255.255.255.0
default-router 192.168.254.254
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key 0 XXXX address ip telecom
!
!
crypto ipsec transform-set garden esp-des esp-sha-hmac
!
crypto map nomechiave 1 ipsec-isakmp
set peer ip telecom
set transform-set garden
match address 100
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.254.254-255.255.255.0
ip address 192.168.254.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 199 in
ip inspect myfw out
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip nat outside
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname configper tiscali
ppp chap password 7 055A545C751918
ppp pap sent-username xxxpassword 7 xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map nomechiave
hold-queue 224 in
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 199 permit tcp any any established
access-list 199 permit ip host ip telecom any
access-list 199 deny ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 102
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
Gazzada#
mgcomp
Cisco fan
Posts: 59
Joined: Sat 13 Aug 2005, 4:56 pm
Location: Verona

You can use IPsec to encrypt the traffic in the tunnels.

If you configure the 2 routers well, you don't need any other equipment...

Good luck!!!

I hope I've been of help; anyway, if you need more information on the configuration, try the site www.cisco.com; you'll find practically everything there.

Bye!!
spackmeier
n00b
Posts: 5
Joined: Tue 20 Sep 2005, 3:20 pm
Location: Varese

I hope your post is useful and helps us solve the problem.

In any case I have to thank you for the speed of your replies!!!

If I get a positive result I'll let you know, thanks again.
spackmeier
n00b
Posts: 5
Joined: Tue 20 Sep 2005, 3:20 pm
Location: Varese

My friend tells me:

Before setting up the GRE tunnel I want to know: who then defines which traffic is sent into the tunnel and which is left to go out on the network? Will access lists need to be defined? And where does the NAT go at this point? On ATM0.1?

Thanks again!!!
mgcomp
Cisco fan
Posts: 59
Joined: Sat 13 Aug 2005, 4:56 pm
Location: Verona

So....

You have to set static routes, anyway I had already written it...

ip route LANSedeTelecom MaskSedeTelecom Tunnel0
ip route 0.0.0.0 0.0.0.0 Atm0.1

This way all traffic destined for LANSedeTelecom will be sent through the tunnel, while everything else will go out via Atm0.1.

Practical example of static routes:

Telecom site (e.g. LAN 192.168.0.0/24):

ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 Atm0.1

Tiscali site (e.g. LAN 192.168.1.0/24):

ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 Atm0.1

That is, on one side you put the route to reach the other network, and vice versa.

It's very simple, more than it might seem.

Bye!!
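The two answers above (the Tunnel0 static routes, and "use IPsec to encrypt the traffic in the tunnels") together with the friend's question about access lists and NAT can be checked with a small model. The following is an added example, not code from the thread or from Cisco: it reproduces, for one flow, the three decisions the posted Gazzada config makes (longest-prefix route lookup, NAT exemption through route-map nonat / access-list 102, and selection by crypto access-list 100), using the subnets from the posted config and mgcomp's proposed Tunnel0 route.

```python
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("192.168.254.0/24")   # Tiscali site (Gazzada), from the posted config
REMOTE_LAN = ip_network("192.168.253.0/24")  # Telecom site, from access-list 100
DEFAULT = ip_network("0.0.0.0/0")

# Posted config: only "ip route 0.0.0.0 0.0.0.0 Dialer1"; IPsec is a crypto map on Dialer1.
ROUTES_POSTED = [(DEFAULT, "Dialer1")]
# mgcomp's proposal: "ip route <remote LAN> Tunnel0" plus the default route via Atm0.1.
ROUTES_GRE = [(REMOTE_LAN, "Tunnel0"), (DEFAULT, "Atm0.1")]

# access-list 102 (used by route-map nonat): "deny" keeps LAN-to-LAN traffic out of NAT.
ACL_102 = [("deny", LOCAL_LAN, REMOTE_LAN), ("permit", LOCAL_LAN, DEFAULT)]
# access-list 100 (crypto map "match address 100"): the traffic IPsec protects.
ACL_100 = [("permit", LOCAL_LAN, REMOTE_LAN)]


def route_lookup(dst, routes):
    """Longest-prefix match over the static routes, as IOS does; None = no route."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_action(acl, src, dst):
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"


def classify(src_str, dst_str, routes=ROUTES_POSTED):
    """Per-flow decision: egress interface, NAT translation, IPsec protection."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    egress = route_lookup(dst, routes)
    # route-map nonat matches ACL 102: a "deny" there means the flow is NOT translated.
    natted = acl_action(ACL_102, src, dst) == "permit"
    # The crypto ACL is evaluated on the packet leaving the crypto-map interface. With
    # a GRE tunnel the outer packet is GRE between the two public IPs, so ACL 100 as
    # posted (LAN to LAN) would not select it; that case is reported as unprotected.
    encrypted = egress != "Tunnel0" and acl_action(ACL_100, src, dst) == "permit"
    return {"egress": egress, "natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    for routes, label in ((ROUTES_POSTED, "posted"), (ROUTES_GRE, "gre")):
        for dst in ("192.168.253.20", "8.8.8.8"):
            print(label, dst, classify("192.168.254.10", dst, routes))
```

With the GRE routes the LAN-to-LAN flow is routed into Tunnel0 and exempted from NAT, but the posted ACL 100 no longer covers the encapsulated packets, which is why mgcomp's second answer still needs an IPsec policy written for the tunnel traffic.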
spackmeier
n00b
Posts: 5
Joined: Tue 20 Sep 2005, 3:20 pm
Location: Varese

I know, but I'm acting as a go-between for a friend of mine who has a lot of doubts. If I knew Cisco equipment a bit better I'd help him myself. In any case, thank you. We'll try this week and I'll let you know!!!